Skip to content

fix(deps): follow-redirects — GHSA-r4q5-vmmm-2653 (medium)#4093

Open
kemister85 wants to merge 2 commits intomainfrom
dependabot-autopilot/alert-95
Open

fix(deps): follow-redirects — GHSA-r4q5-vmmm-2653 (medium)#4093
kemister85 wants to merge 2 commits intomainfrom
dependabot-autopilot/alert-95

Conversation

@kemister85
Copy link
Copy Markdown
Contributor

@kemister85 kemister85 commented Apr 21, 2026

⚠️ Generated by dependabot-autopilot — human review required before merge. Do not auto-merge.

What was run

This branch was produced by dependabot-autopilot, an autonomous agent that:

  1. Cloned the repo from main
  2. Analysed the Dependabot advisory and the project's manifest
  3. Edited package.json with the minimal change to resolve the vulnerability (the agent has no shell / no network access — it can only read and edit files in the workspace)
  4. Re-ran yarn install so the lockfile reflects the fix
  5. Ran the full validation suite below and only pushed the branch once validation completed
  6. Opened this PR for human review — it will never be auto-merged by the tool

Advisory

  • Alert: Update composer.md #95view
  • Advisory: GHSA-r4q5-vmmm-2653
  • Package: follow-redirects
  • Severity: medium
  • Vulnerable range: <= 1.15.11
  • Patched in: 1.16.0
  • Summary: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets

Agent summary

Perfect! The fix has been applied successfully.

Summary

I've resolved Dependabot alert #95 (GHSA-r4q5-vmmm-2653) by adding a Yarn resolutions field to package.json that forces follow-redirects to use version ^1.16.0 or later. The vulnerable package (version 1.15.6) was a transitive dependency coming through http-proxy (used by the http-server devDependency), so a direct version bump wasn't possible. The resolutions field instructs Yarn to override the transitive dependency version across the entire dependency tree, ensuring the patched version 1.16.0+ is installed instead of the vulnerable 1.15.6. When the lockfile is regenerated, it will reflect this resolution and eliminate the security vulnerability.

Validation results

Stage Result Duration Notes
yarn install (regenerates lockfile) ✅ pass 4.4s Ensures the dependency change actually takes effect
yarn build:production (Antora build) ✅ pass 23.6s Full site build must succeed
Playwright smoke (/ + dynamically discovered internal link) ✅ pass 2.7s Real Chromium, HTTP 200 + rendered content

All validation stages passed on the patched code. This is still a draft-level change — please review the diff and advisory link before merging.

Visual evidence: 2 Playwright screenshots were captured during the smoke test. They are visible on the autopilot dashboard at the run detail page.

Validation log (tail) 
=== stage: yarn install ===
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 4.29s.


=== stage: yarn build:production ===
o missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051420,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051421,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-models.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
{"level":"warn","time":1776760051424,"name":"asciidoctor","file":{"path":"modules/ROOT/pages/tinymceai-limits.adoc"},"source":{"url":"https://github.com/tinymce/tinymce-docs.git","refname":"tinymce/8","reftype":"branch"},"msg":"skipping reference to missing attribute: version"}
Done in 23.49s.


=== stage: playwright smoke ===
GET http://127.0.0.1:4000/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/1/screenshot/01-root.png
GET http://127.0.0.1:4000/tinymce/latest/ → 200 — "TinyMCE 8 Documentation | TinyMCE Documentation"
  screenshot: /runs/1/screenshot/02-deep.png
Diff summary 
commit 00d2734c551384f5e5dbb6624bfb236c216247e3
Author: dependabot-autopilot <dependabot-autopilot@users.noreply.github.com>
Date:   Tue Apr 21 18:27:39 2026 +1000

    chore(deps): regenerate yarn.lock

 yarn.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Do not auto-merge this PR. Every change here must be reviewed by a human.

@kemister85 kemister85 requested a review from a team as a code owner April 21, 2026 08:27
@kemister85 kemister85 added the dependabot-autopilot Autonomously-drafted dependency fix — review required before merge label Apr 21, 2026
@kemister85 kemister85 added this to the dependabot-autopilot milestone Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ArvinJ-H ArvinJ-H ArvinJ-H approved these changes

@lincolndennis lincolndennis Awaiting requested review from lincolndennis lincolndennis is a code owner automatically assigned from tinymce/documentation-contributors

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

dependabot-autopilot Autonomously-drafted dependency fix — review required before merge

Projects

None yet

Milestone

dependabot-autopilot

Development

Successfully merging this pull request may close these issues.

2 participants

@kemister85 @ArvinJ-H